Abusing PuppetDB

Trevor Vaughan

Sep 15, 2014, 10:42:32 AM
to puppe...@googlegroups.com
I'm wondering if anyone has a relatively straightforward way to allow a group of Puppet Masters to access a shared data table in PuppetDB to which they can read and write named JSON objects.

No other hosts should be able to access the data.

Thanks,

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvau...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

Ken Barber

Sep 15, 2014, 10:55:06 AM
to puppe...@googlegroups.com
> I'm wondering if anyone has a relatively straightforward way to allow a
> group of Puppet Masters to access a shared data table in PuppetDB to which
> they can read and write named JSON objects.
>
> No other hosts should be able to access the data.

Nothing like this has been provided formally today.

ken.

Trevor Vaughan

Sep 15, 2014, 12:04:26 PM
to puppe...@googlegroups.com
I like the word 'formally'. Any informal material that you know of?

If I can get what I want working, I'll push upstream, but it's always easier to start from a base.

Thanks,

Trevor



Spencer Krum

Sep 15, 2014, 5:46:02 PM
to puppe...@googlegroups.com

Can you flesh out a bit more what you are looking for? If I'm reading between the lines correctly you may be better served with a database backed hiera backend.

Trevor Vaughan

Sep 15, 2014, 7:34:25 PM
to puppe...@googlegroups.com
I'm actually looking for a way to add dynamically created data items to a common data store for multiple clustered puppet masters.

Various Ideas:

Redis or Riak: One per Puppet Master
  Pros: Fast and probably redundant enough
  Cons: Possibly not atomic enough and adds a lot of complexity

Clustered MySQL or PostgreSQL: One per PM 
  Pros: Atomic and reliable
  Cons: Complex

Multi-Master LDAP
  Pros: Atomic, fast reads
  Cons: Not really all that many but why do this when we're already sitting on a Postgres solution that will need to scale in the future anyway.

But wait! Option #2 is *almost* present with PuppetDB already so, why reinvent the wheel, just use the existing database hooks and API to do this for you.

But, obviously, this data needs to be both dynamic as well as tightly restricted to the hosts that are allowed to touch it.

Thanks,

Trevor



Leonardo Rodrigues de Mello

Sep 15, 2014, 8:10:15 PM
to puppe...@googlegroups.com

If I understand it correctly,

What about writing a Hiera backend? This should be "easy", and you will leverage all the Hiera Puppet support and compatibility.

You could write a redis or riak hiera backend.

I don't think writing this using postgres or mysql would scale, at least for writes. But writes are much less frequent than writes in this use case.

PuppetDB does some magic to make as few writes as possible to the database.

http://docs.puppetlabs.com/hiera/1/custom_backends.html

Examples
https://github.com/reliantsecurity/hiera-redis/blob/master/README.md
http://beingasysadmin.wordpress.com/2012/11/24/hiera-http-and-riak/
https://github.com/garethr/hiera-etcd/blob/master/README.md

Best
lmello

Trevor Vaughan

Sep 15, 2014, 10:17:12 PM
to puppe...@googlegroups.com
Unfortunately, I probably am looking at yet another layer of infrastructure glue for clustering.

In this case, writes aren't only infrequent, they're downright rare but reads will happen at each compile.

I'm not sure if, in this case, adding the extra layer of Hiera makes sense since it would just effectively be translating a hash into a hash in most cases but I'll take a look at it.

On the bright side, I might actually get to try out some of the proposed semaphore techniques, particularly if I can get a data access control mechanism figured out.

Thanks,

Trevor

